Lazarus hacking group hiding a new variant of Dacls RAT in security app to target macOS users

The app is mostly used by Chinese speakers, as per researchers

Researchers from cyber security firm Malwarebyes claim to have identified a new variant of the Dacls Remote Access Trojan (RAT) specifically designed to target devices running Mac operating system (macOS).

Dacls RAT is attributed to North Korea-linked hacking group Lazarus and has been previously observed to infect Windows and Linux systems.

But, the new Dacls variant is different as it attacks only macOS users. The researchers found it hiding in a genuine two-factor authentication (2FA) app used to generate temporary access codes for 2FA.

The app, called "MinaOTP," claims to offer a variety of features including worm scanning, file management, command execution, and traffic proxying. It is mostly used by Chinese speakers, as per researchers.

On 8th April, a sample of a Trojanised version of the app with the name "TinkaOTP" was uploaded from Hong Kong to the VirusTotal scanning service. At that time, no malicious code was discovered in the app, according to researchers. However, the app was later found to contain a malicious file, which was detected by 23 out of 59 antivirus engines.

The main function of that malicious code is to enable hackers to hijack the infected system. After infecting the device, they can easily launch additional malicious programmes as well as upload, download, write, read or delete files on the device.

The code executes after system reboot and is added to the property list (plist) file used by LaunchAgents and LaunchDaemons to run apps at startup.

The researchers found that the names for the private and certificate files - "k_3872.Cls" and "c_2910.cls" in the macOS variant of Dacls were same as in the Windows and Linux variants.

"We believe this Mac variant of the Dcals RAT is associated with the Lazarus group, also known as Hidden Cobra and APT 38, an infamous North Korean threat actor performing cyber espionage and cyber-crime operations since 2009," the researchers stated in their report.

"The discovery of this Mac RAT shows that this APT group is constantly developing its malware toolset."

Lazarus became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

According to cyber security firm Group-IB, this notorious group stole more than $600 million worth of cryptocurrency in 2017 and 2018.

Earlier this year, researchers from Kaspersky warned that Lazarus was updating its attack tactics in efforts to remain undetected during cryptocurrency stealing campaigns. The researchers said they had found evidence that the group was using messaging app Telegram to deliver malicious files to potential targets in order to steal cryptocurrency.